From 93f6a87eb68290616a7a068fd8963d566ac1774f Mon Sep 17 00:00:00 2001 From: wh02252983 Date: Fri, 7 Nov 2025 10:16:15 +0800 Subject: [PATCH] [CVE] add patch to fix CVE-2025-53066 To # N/A add patch to fix CVE-2025-53066 Project: TC2024080204 Signed-off-by: wh02252983 --- fix-CVE-2025-53066.patch | 302 +++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 10 +- 2 files changed, 310 insertions(+), 2 deletions(-) create mode 100644 fix-CVE-2025-53066.patch diff --git a/fix-CVE-2025-53066.patch b/fix-CVE-2025-53066.patch new file mode 100644 index 0000000..ad36e8a --- /dev/null +++ b/fix-CVE-2025-53066.patch @@ -0,0 +1,302 @@ +From 770db9328cc5ad574bd61a2e42f1a4c5601c0405 Mon Sep 17 00:00:00 2001 +From: Aleksei Voitylov +Date: Wed, 3 Sep 2025 00:40:31 +0000 +Subject: [PATCH] 8356294: Enhance Path Factories + +Reviewed-by: abakhtin, fferrari +Backport-of: 65fb43fdae221be75f2657697b96ddf996ebca44 +--- + .../jaxp/DocumentBuilderFactoryImpl.java | 26 ++++++++++++++++--- + .../xpath/internal/jaxp/XPathFactoryImpl.java | 8 ++++-- + .../apache/xpath/internal/jaxp/XPathImpl.java | 9 ++++--- + .../xpath/internal/jaxp/XPathImplUtil.java | 12 +++++++-- + .../classes/jdk/xml/internal/JdkXmlUtils.java | 18 ++++++++++++- + .../jdk/xml/internal/XMLSecurityManager.java | 16 ++++++++++++ + 6 files changed, 77 insertions(+), 12 deletions(-) + +diff --git a/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java b/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java +index 1bffeba6ac6..07ef047bb39 100644 +--- a/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java ++++ b/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java +@@ -22,7 +22,6 @@ + + import com.sun.org.apache.xerces.internal.parsers.DOMParser; + import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; +-import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; + import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; + import java.util.HashMap; + import java.util.Map; +@@ -32,6 +31,7 @@ + import javax.xml.parsers.ParserConfigurationException; + import javax.xml.validation.Schema; + import jdk.xml.internal.JdkProperty; ++import jdk.xml.internal.XMLSecurityManager; + import org.xml.sax.SAXException; + import org.xml.sax.SAXNotRecognizedException; + import org.xml.sax.SAXNotSupportedException; +@@ -39,7 +39,7 @@ + /** + * @author Rajiv Mordani + * @author Edwin Goei +- * @LastModified: May 2021 ++ * @LastModified: June 2025 + */ + public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory { + /** These are DocumentBuilderFactory attributes not DOM attributes */ +@@ -54,8 +54,26 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory { + private boolean fSecureProcess = true; + + // used to verify attributes +- XMLSecurityManager fSecurityManager = new XMLSecurityManager(true); +- XMLSecurityPropertyManager fSecurityPropertyMgr = new XMLSecurityPropertyManager(); ++ XMLSecurityManager fSecurityManager; ++ XMLSecurityPropertyManager fSecurityPropertyMgr; ++ ++ /** ++ * Creates a new {@code DocumentBuilderFactory} instance. ++ */ ++ public DocumentBuilderFactoryImpl() { ++ this(null, null); ++ } ++ ++ /** ++ * Creates a new {@code DocumentBuilderFactory} instance with a {@code XMLSecurityManager} ++ * and {@code XMLSecurityPropertyManager}. ++ * @param xsm the {@code XMLSecurityManager} ++ * @param xspm the {@code XMLSecurityPropertyManager} ++ */ ++ public DocumentBuilderFactoryImpl(XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) { ++ fSecurityManager = (xsm == null) ? new XMLSecurityManager(true) : xsm; ++ fSecurityPropertyMgr = (xspm == null) ? new XMLSecurityPropertyManager() : xspm; ++ } + + /** + * Creates a new instance of a {@link javax.xml.parsers.DocumentBuilder} +diff --git a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java +index c99b4917cd0..a4de6a0fc12 100644 +--- a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java ++++ b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java +@@ -21,6 +21,7 @@ + package com.sun.org.apache.xpath.internal.jaxp; + + import com.sun.org.apache.xalan.internal.res.XSLMessages; ++import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; + import com.sun.org.apache.xpath.internal.res.XPATHErrorResources; + import javax.xml.XMLConstants; + import javax.xml.xpath.XPathFactory; +@@ -37,7 +38,7 @@ + * + * @author Ramesh Mandava + * +- * @LastModified: Jan 2022 ++ * @LastModified: June 2025 + */ + public class XPathFactoryImpl extends XPathFactory { + +@@ -74,6 +75,7 @@ public class XPathFactoryImpl extends XPathFactory { + * The XML security manager + */ + private XMLSecurityManager _xmlSecMgr; ++ private XMLSecurityPropertyManager _xmlSecPropMgr; + + /** + * javax.xml.xpath.XPathFactory implementation. +@@ -86,6 +88,7 @@ public XPathFactoryImpl() { + } + _featureManager = new JdkXmlFeatures(!_isNotSecureProcessing); + _xmlSecMgr = new XMLSecurityManager(true); ++ _xmlSecPropMgr = new XMLSecurityPropertyManager(); + } + + /** +@@ -135,7 +138,7 @@ public boolean isObjectModelSupported(String objectModel) { + */ + public javax.xml.xpath.XPath newXPath() { + return new XPathImpl(xPathVariableResolver, xPathFunctionResolver, +- !_isNotSecureProcessing, _featureManager, _xmlSecMgr); ++ !_isNotSecureProcessing, _featureManager, _xmlSecMgr, _xmlSecPropMgr); + } + + /** +@@ -189,6 +192,7 @@ public void setFeature(String name, boolean value) + if (value && _featureManager != null) { + _featureManager.setFeature(JdkXmlFeatures.XmlFeature.ENABLE_EXTENSION_FUNCTION, + JdkProperty.State.FSP, false); ++ _xmlSecMgr.setSecureProcessing(value); + } + + // all done processing feature +diff --git a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java +index bddc73811ee..553d8bbe068 100644 +--- a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java ++++ b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java +@@ -20,6 +20,7 @@ + + package com.sun.org.apache.xpath.internal.jaxp; + ++import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; + import com.sun.org.apache.xpath.internal.*; + import com.sun.org.apache.xpath.internal.objects.XObject; + import javax.xml.namespace.NamespaceContext; +@@ -47,7 +48,7 @@ + * New methods: evaluateExpression + * Refactored to share code with XPathExpressionImpl. + * +- * @LastModified: Jan 2022 ++ * @LastModified: June 2025 + */ + public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath { + +@@ -57,12 +58,13 @@ public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath { + private NamespaceContext namespaceContext=null; + + XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr) { +- this(vr, fr, false, new JdkXmlFeatures(false), new XMLSecurityManager(true)); ++ this(vr, fr, false, new JdkXmlFeatures(false), new XMLSecurityManager(true), ++ new XMLSecurityPropertyManager()); + } + + XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr, + boolean featureSecureProcessing, JdkXmlFeatures featureManager, +- XMLSecurityManager xmlSecMgr) { ++ XMLSecurityManager xmlSecMgr, XMLSecurityPropertyManager xmlSecPropMgr) { + this.origVariableResolver = this.variableResolver = vr; + this.origFunctionResolver = this.functionResolver = fr; + this.featureSecureProcessing = featureSecureProcessing; +@@ -70,6 +72,7 @@ public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath { + overrideDefaultParser = featureManager.getFeature( + JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER); + this.xmlSecMgr = xmlSecMgr; ++ this.xmlSecPropMgr = xmlSecPropMgr; + } + + +diff --git a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java +index 14b47fd5dae..2d0cc2a3597 100644 +--- a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java ++++ b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java +@@ -30,7 +30,9 @@ + import com.sun.org.apache.xpath.internal.axes.LocPathIterator; + import com.sun.org.apache.xpath.internal.objects.XObject; + import com.sun.org.apache.xpath.internal.res.XPATHErrorResources; ++import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; + import java.io.IOException; ++import javax.xml.XMLConstants; + import javax.xml.namespace.QName; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.parsers.ParserConfigurationException; +@@ -54,7 +56,7 @@ + * This class contains several utility methods used by XPathImpl and + * XPathExpressionImpl + * +- * @LastModified: Jan 2022 ++ * @LastModified: June 2025 + */ + class XPathImplUtil { + XPathFunctionResolver functionResolver; +@@ -67,6 +69,7 @@ class XPathImplUtil { + boolean featureSecureProcessing = false; + JdkXmlFeatures featureManager; + XMLSecurityManager xmlSecMgr; ++ XMLSecurityPropertyManager xmlSecPropMgr; + + /** + * Evaluate an XPath context using the internal XPath engine +@@ -129,7 +132,12 @@ Document getDocument(InputSource source) + // + // so we really have to create a fresh DocumentBuilder every time we need one + // - KK +- DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(overrideDefaultParser); ++ DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory( ++ overrideDefaultParser, xmlSecMgr, xmlSecPropMgr); ++ if (xmlSecMgr != null && xmlSecMgr.isSecureProcessingSet()) { ++ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, ++ xmlSecMgr.isSecureProcessing()); ++ } + return dbf.newDocumentBuilder().parse(source); + } catch (ParserConfigurationException | SAXException | IOException e) { + throw new XPathExpressionException (e); +diff --git a/src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java b/src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java +index 3cb0cb32143..eef3b752e85 100644 +--- a/src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java ++++ b/src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java +@@ -29,6 +29,7 @@ + import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl; + import com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl; + import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings; ++import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; + import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; + import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; + import javax.xml.XMLConstants; +@@ -312,6 +313,21 @@ public static Document getDOMDocument() { + */ + @SuppressWarnings("removal") + public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser) { ++ return getDOMFactory(overrideDefaultParser, null, null); ++ } ++ ++ /** ++ * {@return a DocumentBuilderFactory instance} ++ * ++ * @param overrideDefaultParser a flag indicating whether the system-default ++ * implementation may be overridden. If the system property of the ++ * DOM factory ID is set, override is always allowed. ++ * @param xsm XMLSecurityManager ++ * @param xspm XMLSecurityPropertyManager ++ */ ++ @SuppressWarnings("removal") ++ public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser, ++ XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) { + boolean override = overrideDefaultParser; + String spDOMFactory = SecuritySupport.getJAXPSystemProperty(DOM_FACTORY_ID); + +@@ -320,7 +336,7 @@ public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser + } + DocumentBuilderFactory dbf + = !override +- ? new DocumentBuilderFactoryImpl() ++ ? new DocumentBuilderFactoryImpl(xsm, xspm) + : DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + // false is the default setting. This step here is for compatibility +diff --git a/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java b/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java +index cf803eca3d4..a1873a9052a 100644 +--- a/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java ++++ b/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java +@@ -191,6 +191,12 @@ public static enum Processor { + */ + boolean secureProcessing; + ++ /** ++ * Flag indicating the secure processing is set explicitly through factories' ++ * setFeature method and then the setSecureProcessing method ++ */ ++ boolean secureProcessingSet; ++ + /** + * States that determine if properties are set explicitly + */ +@@ -238,6 +244,7 @@ public XMLSecurityManager(boolean secureProcessing) { + * Setting FEATURE_SECURE_PROCESSING explicitly + */ + public void setSecureProcessing(boolean secure) { ++ secureProcessingSet = true; + secureProcessing = secure; + for (Limit limit : Limit.values()) { + if (secure) { +@@ -256,6 +263,15 @@ public boolean isSecureProcessing() { + return secureProcessing; + } + ++ /** ++ * Returns the state indicating whether the Secure Processing is set explicitly, ++ * via factories' setFeature and then this class' setSecureProcessing method. ++ * @return the state indicating whether the Secure Processing is set explicitly ++ */ ++ public boolean isSecureProcessingSet() { ++ return secureProcessingSet; ++ } ++ + /** + * Finds a limit's new name with the given property name. + * @param propertyName the property name specified diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 2fc1c6f..38bb1b1 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -13,7 +13,7 @@ # Only produce a release build on x86_64: # $ fedpkg mockbuild --without slowdebug --without fastdebug -%global anolis_release 4 +%global anolis_release 5 # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -1242,7 +1242,9 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +# https://github.com/openjdk/jdk17u/commit/770db9328cc5ad574bd61a2e42f1a4c5601c0405 +Patch7: fix-CVE-2025-53066.patch # Crypto policy and FIPS support patches # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u @@ -1677,6 +1679,7 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch6 -p1 +%patch7 -p1 # Add crypto policy and FIPS support %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security @@ -2493,6 +2496,9 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Nov 7 2025 wh02252983 - 1:17.0.5.8-5 +- add patch to fix CVE-2025-53066 + * Thu Nov 09 2023 Leslie Zhai - 1:17.0.5.0.8-4 - Disable gdb -- Gitee